(57) The invention relates to a method for key recovery cryptography to be used in a system consisting of:

two conversation partners who exchange secret information in encrypted form with each other by way of the public telecommunications infrastructure;

one or more legitimate co-listeners possibly present (for example, a government agency, or an employer of the conversation partners), who do have the enciphered information at their disposal, but are not able to decipher it;

one or more trusted parties (known as Trusted Recovery Parties - TRPs) in principle different from the conversation partners, who act as virtual conversation partners, who can decipher the information, but do not have the enciphered information at their disposal;

one or more monitors possibly present for monitoring the exchange between the conversation partners (for example, one of the conversation partners, a PTT or an employer of the conversation partners),

in which the conversation partners as part of the exchange also make the same secret information available to the abovementioned co-listener if the latter acquires cooperation (simultaneously, or with some delay) from one of the TRPs (or several in the event of splitting or sharing techniques being used), and in the process the conversation partners also send additional information at the same time, known as binding data, by means of which the monitor can check that said making of information available can also be carried out properly, without the monitor having to have at his disposal secret information. Characteristic of the method is that it relates to an exchange in which the secret information is encrypted with the asymmetrical systems RSA, Rabin or Diffie-Hellman or a combination thereof.
Description

1. Introduction

The development of a worldwide information society on the basis of "electronic superhighways" is moving forward at a rapid pace; the increasing interest in the Internet is indicative of this. However, in the case of many applications of the electronic superhighways the reliability of information sent or received is very important. More particularly, it is very important for many applications that:

[confidentiality] information is not viewed on the way by unauthorized persons, for example because it is privacy-sensitive information;

[correctness] information is not changed on the way by unauthorized persons, for example because it is financial information.

If the information society really does want to get off the ground, it must be possible to guarantee these reliability requirements; a view which is shared by many governments in the world. It is expected that a worldwide data protection infrastructure, known as a public key infrastructure (PKI), will have to be set up. In a PKI public keys are certified by a network of trusted parties (such as, for example, notaries) and are used for asymmetrical encryption (such as RSA). There are countless reasons for stating that governments must be a major party in the realization of PKIs. To mention one: in a certain sense certified public keys are the digital passports of the information society, and the organization of passports is, with good reason, a government task.

However, the methods which protect the confidentiality of information from being viewed by unauthorized parties in principle also provide protection from being viewed by authorized parties, like law enforcement, security and intelligence agencies. When the latter parties, with a court authorization, intercept the communication of a suspect they cannot access the relevant information. In other words, if governments simply promote the development of PKIs, in this way they will also be making life easier for criminals. It is this fact that makes it difficult for governments to promote the provision of public key infrastructures simply as a matter of course.

The question is therefore: how to provide a PKI which promotes confidence among law-abiding citizens and organizations, but does not make life easier for criminals; in other words, as soon as a suspect uses the PKI, the protection offered by the system as regards confidentiality can be given up for law-enforcement, security or intelligence agencies when the latter, with a court authorization, intercept the communication of a suspect. Moreover, removing the protection can also be of importance for other parties having a need and a right to do so. An important condition in the realization of a PKI is that it must also be possible to use the latter from software, and not just from hardware (such as the Clipper chip, see [Clip]).

2. Prior art

In order to permit an analysis of this problem, we introduce the following (notational) explanation of (hybrid) public key encryption for confidentiality. If person Alice wants to send a confidential report M encrypted to person Bob, then:



a. Alice generates a random session key S;
b. Alice encrypts the report M with a conventional (symmetrical) cryptosystem by means of S;
c. Alice encrypts S with the public key of Bob.

Then Alice sends the packages in b. and c. to Bob. Bob decrypts package c with his private key and in this way has S at his disposal; decrypting package b with S again gives the message M.

This set-up can now be made safe for law-abiding citizens, but not for criminals, in various ways. An obvious method is the Key Management Infrastructure proposal, a draft proposal of the American Office of the President. Here, the private key of users is deposited with a trusted third party who cooperates in investigations of law-enforcement, security or intelligence agencies if the latter have the proper court authorizations.

There are many disadvantages in this; the solution is e.g. difficult to apply internationally (for example, where does the key go?). In [VKT] even more problems are enumerated; another one is that if Alice (in the above explanation) is a suspect and Bob is not, then law-enforcement, security or intelligence agencies have to be able to make use of the private key of Bob, who is not a suspect. A proposal [RH] of the University of London (Royal Holloway) is in fact based on the same idea, but makes the private key of users - by a complicated system of Key Escrow Agents - in fact reconstructable by the Key Escrow Agents in two countries independently (i.e. co-operation between the Key Escrow Agents is not required). This in principle produces an international solution (although some countries (e.g. Norway) may not want to be able to access the keys at all). The public encryption system which Royal Holloway uses is fairly rigid, so that in fact the session key in point a. is fixed. This is not only against the principle of public key encryption, but also has all kinds of other annoying consequences.

A more liberal and flexible solution is that each user selects one or more Trusted Retrieval Parties (TRP), for example to be regulated by law, and that a package d is added to the communication:

d. S encrypted with the public key of the selected TRPs.

These TRPs therefore act, as it were, as virtual addressees: they receive no messages, but should the TRPs receive them, they would then be able to decipher (and read) them. If now an authorized party intercepts the communication, then it can obtain the (unique!) session key S from block d with the aid of the TRP, and it can then find the message M again by deciphering block b by means of S. In principle the authorized party can also ask the TRP both to carry out the decodings and to return the message M directly on the basis of blocks a-d; however, this gives the TRP in principle a view of the message, which is not directly desirable.

A risk which is inherent in key recovery solutions is that if a TRP is corrupted, the (secret) information of his users can then reach unauthorized parties. A solution to this is the use of "splitting" and "sharing" techniques. This means that the private key belonging to a TRP is not in the hands of one person or organization, but is divided among several persons or organizations, say a number y of "sub-TRPs". These parts form a "y from y splitting" scheme of the private key if:

all y "sub-TRPs" together are capable of restoring the private key;

fewer than y "sub-TRPs" are not capable of becoming any the wiser about the private key.

One speaks of an "x from y sharing" scheme if there is an x (smaller than y), so that:

an arbitrary x number of "sub-TRPs" are capable of restoring the private key;

fewer than x "sub-TRPs" are not capable of becoming any the wiser about the private key.

This proposal not only gives users a very wide choice concerning whom they want to trust (whom they take as TRP); because several TRPs (1 from the sending country; 1 from the receiving country) can be used, this in principle gives the same international advantages as the Royal Holloway concept. However, a disadvantage is that it can easily be abused by criminals. For the sake of clarity, abuse means that people do want to make use of the system, but do not observe the rules which are made for the system (e.g. by contract). By way of illustration, if Alice just sends any data instead of block d, Alice is actually using the advantages of the system, but not the criminal "disadvantages".

Within the (patented; see US Patent Specifications 5,557,346 and 5,557,765) TIS-CKE/Recoverkey scheme [TIS] this type of unilateral abuse can be prevented by making the receiving software carry out a reconstruction check (the recipient knows S and can therefore reconstruct package d by means of the public key of the TRP and subsequently compare the result with package d). However, this check can be bypassed by means of a (simple) operation in the software program (always set the reconstruction check to "OK"). In other words, conspiring criminals can (easily) make use of the advantages of the system, but not of the criminal "disadvantages".



In [VKT] and in particular [VT] a (partial) solution was found to this problem, with the requirement that the conspiracy fraud (as e.g. mentioned above) need not be prevented, but that it must actually be detectable by third parties (by means of spot checks). Third parties, also called monitors, in this case are considered as including (equipment of) network operators and (internet) service providers; i.e. parties who in fact already have all (encrypted) data at their disposal. However, one can also think of detection operations carried out by the control system and/or software of users themselves.

An additional requirement made of the detection is that the third parties must be able to detect this fraud without having secret information at their disposal. Therefore, the privacy of users must not be adversely affected. The requirement that certain third parties must detect fraud can be set as a legal requirement before a party is allowed to operate as a provider. What specifically has to happen about detected fraud is a question of national legislation.

More specifically, this concept - called binding cryptography - therefore consists of adding an additional block of information:

e. Binding data

With block e (and the public key of the addressed and selected TRPs) it must be possible to establish whether the session key encrypted in block c is the same as that in block d, without secret information needing to be and/or being known. In a follow-up article [VT] a method is designed for binding data for a known public key encryption system: ElGamal. This article also mentions splitting and sharing techniques for ElGamal, by means of which the (already mentioned) problem of corruption of TRPs can be solved.

3. New Invention

This section of the description deals with a composite binding construction of three other public key systems, i.e. Diffie-Hellman [DH], RSA [RSA] and Rabin's [Rabin] variant thereon.

For these systems there is a slight deviation from the general binding proposal mentioned in point 2, in the sense that different public key encryption systems are used for encrypting the same message (e.g. session key). The functionality of the binding data is unchanged: without secret knowledge being necessary or becoming available, it can then be established by means of the binding data that the (various types of) encryption protect the same secret information.

3.1 RSA/Rabin (description)

In an RSA system [RSA] each participant selects a modulus n which is the product of two (large) prime numbers p and q, and also the public and private exponents e and d, which are related as follows: e·d = 1 (mod lcm(p-1, q-1)). Here "lcm" stands for "Least Common Multiple". The public exponent e and the modulus n are made publicly known, generally combined with a certificate of authenticity by a trusted party.

If (e, n) is Alice's public RSA key, then a message 0 < S < n is encrypted by (another party) Bob as c = S^e mod n. Alice decodes this message by calculating c^d mod n.

In Rabin's variant [Rabin] (henceforth simply called Rabin) e is selected as equal to 2; a Rabin public key therefore consists only of a modulus n. A message S < n is encrypted by Alice as c = S^2 mod n. A disadvantage is that decoding by Bob is no longer unique: in principle there are four possible messages S which meet S^2 = c mod n. Within the Rabin system Bob must be able in one way or another to select the correct S from the four. Moreover, the prime numbers p and q in the case of Rabin are often selected as so-called Blum integers, because calculating square roots is then simple to achieve.

3.2 Diffie-Hellman (description)

The Diffie-Hellman key agreement [DH] was the first practical solution for two parties for reaching a common secret key by means of an unsafe (public) channel. The system makes use of a cyclic subgroup Γ of a (multiplicatively written) group Δ, in which the so-called discrete log problem cannot be solved in a practical way. Let n, a large (say, 160-bit) number, be the order of Γ, and let γ be a generator of Γ. The elements γ, Γ and Δ (and not necessarily n) are given to all participants by an issuing party (IP). Various choices are possible for the groups Γ, Δ, but in a typical example Γ = Δ, and Δ is the multiplicative group of a finite field or the group of points on an elliptic curve over a finite field.

If in the basic version of the protocol two participating parties A and B wish to agree upon a secret key, this is what they do:

1. A generates an arbitrary number k_A smaller than n (or an upper bound thereof) and sends z_A = γ^{k_A} to B.

2. B generates an arbitrary number k_B smaller than n (or an upper bound thereof) and sends z_B = γ^{k_B} to A.

3. A receives z_B and calculates the common secret key as (z_B)^{k_A}.

4. B receives z_A and calculates the common secret key as (z_A)^{k_B}.

This basic version of the protocol protects only the confidentiality of the common key, and not the authenticity of the parties. There are various variants of the protocol which add authenticity to the basic protocol. For example, all participating parties could be given fixed public keys which are certified by a (trusted) third party. Better solutions are found in the Station-to-Station [STS] and MTI [MTI] variants of Diffie-Hellman.



3.3 McCurley's ElGamal variant (description)

The ElGamal public key system [ElG], like Diffie-Hellman, makes use of a cyclic subgroup G of a (multiplicatively written) group H, in which the so-called discrete log problem cannot be solved in a practical way. Various choices are possible for the groups G, H, but in a typical example G = H and H is the multiplicative group of a finite field or the group of points on an elliptic curve over a finite field.

The elements g, G and H are made publicly known. In order to participate in the system, a participant selects his own private key x (a number smaller than the order of g or an upper bound thereof) and makes his public key y = g^x publicly known, combined with a certificate of authenticity or otherwise.

If y is Alice's public ElGamal key, then a message S, an element from H, is encrypted by (another party) Bob by first selecting an arbitrary k (a number smaller than the order of g or an upper bound thereof) and calculating the following: (t, u) := (g^k, S·y^k). Alice decrypts this message by calculating u / t^x.

In McCurley's variant of ElGamal [McC] the multiplicative group of Z/nZ is taken as H, in which case n, as in the case of RSA, is the product of two (secret) prime numbers p and q. The group generated by an arbitrary element g from the multiplicative group of Z/nZ can be taken as group G. In [McC] special prime numbers are selected and g is taken equal to 16. The reason for this is that with this selection McCurley can prove that someone who can break this form of ElGamal is also capable of factorizing the modulus n.

In fact, this selection of the prime numbers p, q and the generator g is not necessary; we shall also consider arbitrary prime numbers p, q and an arbitrary g in the multiplicative group of Z/nZ (in which therefore n = p·q).

3.4 Multi Recoverable RSA/Rabin (invention)

The RSA/Rabin encryption of the same secret S with several public keys can be insecure, cf. [Has]. That is also why we choose to make the encrypted copies of S intended for the TRPs with a system other than RSA, namely McCurley's variant of ElGamal, in which the RSA/Rabin modulus n used by the user is actually used and a generator g is selected in Z/nZ. So if m TRPs are involved, their private keys are of the form x_1, x_2, ..., x_m (numbers < n) and their public keys are of the form y_1 = g^{x_1}, y_2 = g^{x_2}, ..., y_m = g^{x_m} (mod n).

Therefore, if R = S^e mod n is the encryption with the public key (e, n) of a user, then the copies for the TRPs are of the form: (A_1, B_1) := (g^k, S·(y_1)^k), (A_2, B_2) := (g^k, S·(y_2)^k), (A_3, B_3) := (g^k, S·(y_3)^k), ..., (A_m, B_m) := (g^k, S·(y_m)^k) (all modulo n). Note that in the case of all these m encryptions the same random k, smaller than n, is selected by the user.

In other words, the message mentioned in Section 2 has the following form:

E. Data encrypted with S;

A. R = S^e mod n;

B. (A_1, B_1) := (g^k, S·(y_1)^k), (A_2, B_2) := (g^k, S·(y_2)^k), (A_3, B_3) := (g^k, S·(y_3)^k), ..., (A_m, B_m) := (g^k, S·(y_m)^k), all modulo n.

If the selected session key S is (arbitrarily) selected in the group G (instead of the larger group H), i.e. S is of the form g^z mod n with z < n arbitrary, then it can be proved that the breaking of RSA with the ElGamal/McCurley recovery fields is just as difficult as without these fields. From (formal) security considerations, it can therefore be decided to select S in group G.

The binding data constructed by us will prove that ((A_i)^e, (B_i)^e) relate to an ElGamal encryption of S relative to the public key y_i; this is sufficient to prove that blocks A and B contain the same S. This is equivalent to proving that for each i equal to 1, 2, ..., m the logarithm of the expression (A_i)^e mod n relative to the base g modulo n is the same as the logarithm of the expression (B_i)^e mod n divided by R modulo n relative to the base y_i. The latter is simple to achieve with a variant on a non-interactive protocol such as described in [VT]. We shall illustrate this for m = 1; the general case follows in an analogous way. In the case m = 1 the binding data must show that a k exists such that:

a = g^{ke} = (A_1)^e mod n

b = (y_1)^{ke} = (B_1)^e / R mod n     (*)

This goes as follows: first of all, a safety parameter v is fixed: a chance of 1/2^v that the binding data gives an incorrect conclusion is considered acceptable. The safety parameter will, for example, lie around 80 (bits). In addition, a one-way secure hash function is fixed, the number of output bits of which is sufficiently great (say, 160). Subsequently:

1. The sending conversation partner for this purpose generates an arbitrary l smaller than n and constructs c = g^l mod n and d = (y_1)^l mod n, which are added to the binding data.

2. The sending conversation partner calculates, in a publicly known manner, a one-way-secure hash, called w, of c and d and possibly other prescribed information which is sent at the same time (e.g. a and b), possibly as part of the binding data.

3. The sending conversation partner calculates z = w·k + l and checks whether this number still leaves adequate uncertainty about k and l, in other words whether the number of solutions (k, l) of the equation z = w·k + l is sufficiently great (at least 2^v) to make "guessing" k, l virtually impossible. If this is the case, the sending conversation partner adds z to the binding data; otherwise he starts again at step 1 of the method.

A monitor is now able, on the basis of the binding data (which contains c, d and z), to check as follows that equivalence (*) is fulfilled. The monitor (re)calculates - in the prescribed manner - the one-way-secure hash, called w, of c and d and possibly other information and checks that:

g^z = a^w · c and (y_1)^z = b^w · d.     (**)

If this is the case, then the monitor accepts that the encrypted RSA key in package R is the same as in (A_1, B_1), otherwise he does not accept it.

The binding data constructed in the above method can be reduced considerably by applying the "Fiat-Shamir" heuristic. In this case the binding data contains the hash w instead of c and d; the binding data thus contains z and w. The monitor calculates elements c and d on the basis of equivalence (**), calculates - in the prescribed manner - on the basis of this c and d and possibly other information the one-way-secure hash w*, and compares this with the hash w sent along with it. If w and w* are the same, then the monitor accepts that the encrypted RSA key in package R is the same as in (A_1, B_1), otherwise he does not accept it.

We should further like to point out that the splitting and sharing techniques mentioned in [VT] for ElGamal are also applicable to McCurley's variant of ElGamal, and thus in particular to the abovementioned recoverable RSA.
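The recoverable RSA message of 3.4 together with the binding data of steps 1-3, the monitor checks (**), the Fiat-Shamir reduction and a TRP's recovery of S, as an added Python example that is not the patent's own code. It assumes constructed demo parameters (two Mersenne primes as p and q, g = 3, SHA-256 truncated to 160 bits as the prescribed hash) and, because a = (A_1)^e = g^{ke} in (*), uses k·e as the exponent in the response z so that (**) holds.

```python
import hashlib
import math
import secrets

# Constructed demo parameters (not from the page). Two Mersenne primes give a
# genuine RSA modulus n = p*q without a prime search; e is the usual exponent.
P_USER = 2**521 - 1
Q_USER = 2**607 - 1
N = P_USER * Q_USER
E = 65537
D = pow(E, -1, math.lcm(P_USER - 1, Q_USER - 1))   # e*d = 1 (mod lcm(p-1, q-1))
G = 3            # assumed g: an arbitrary element of (Z/nZ)*, as allowed in 3.3
V = 80           # safety parameter v: an error chance of 1/2^v is accepted
HASH_BITS = 160  # output size of the prescribed one-way hash (SHA-256, truncated)


def hash_to_int(*parts):
    """The publicly prescribed hash w of c, d and the accompanying values a, b."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - HASH_BITS)


def trp_keygen():
    """McCurley-ElGamal key of one TRP in the user's group: x < n, y = g^x mod n."""
    x = 2 + secrets.randbelow(N - 2)
    return x, pow(G, x, N)


def encrypt_session_key(s, trp_pubs):
    """Block A: R = S^e mod n. Block B: (A_i, B_i) = (g^k, S*y_i^k), one k for all."""
    k = 2 + secrets.randbelow(N - 2)
    fields = [(pow(G, k, N), s * pow(y, k, N) % N) for y in trp_pubs]
    return pow(s, E, N), fields, k


def derived_pair(r, a_i, b_i):
    """(*): a = (A_i)^e = g^{ke} and b = (B_i)^e / R = y_i^{ke}, both public.
    Needs gcd(S, n) = 1 for the inverse of R, which holds for a random S."""
    return pow(a_i, E, N), pow(b_i, E, N) * pow(r, -1, N) % N


def make_binding(k, y_i, r, a_i, b_i):
    """Steps 1-3 for one TRP. The exponent proven is k*e, the one in (*)."""
    a, b = derived_pair(r, a_i, b_i)
    while True:
        l = secrets.randbelow(N)                       # step 1
        c, d = pow(G, l, N), pow(y_i, l, N)
        w = hash_to_int(c, d, a, b)                    # step 2
        z = w * k * E + l                              # step 3, over the integers
        # count the (k', l') with k' >= 0, 0 <= l' < n that solve z = w*k' + l'
        k_hi = z // w
        k_lo = max(0, -((N - 1 - z) // w))             # ceil((z - n + 1) / w)
        if k_hi - k_lo + 1 > 2**V:                     # enough uncertainty left
            return c, d, w, z
        # otherwise: back to step 1 with a fresh l


def verify_binding(y_i, r, a_i, b_i, c, d, z):
    """Monitor check (**): g^z = a^w * c and y_i^z = b^w * d; no secret needed."""
    a, b = derived_pair(r, a_i, b_i)
    w = hash_to_int(c, d, a, b)
    return (pow(G, z, N) == pow(a, w, N) * c % N
            and pow(y_i, z, N) == pow(b, w, N) * d % N)


def verify_binding_fiat_shamir(y_i, r, a_i, b_i, w, z):
    """Reduced binding data (w, z): solve (**) for c and d, re-hash, compare."""
    a, b = derived_pair(r, a_i, b_i)
    c = pow(G, z, N) * pow(pow(a, w, N), -1, N) % N
    d = pow(y_i, z, N) * pow(pow(b, w, N), -1, N) % N
    return hash_to_int(c, d, a, b) == w


def trp_recover(x_i, a_i, b_i):
    """A TRP handed (A_i, B_i) by an authorized party recovers S = B_i / A_i^x_i."""
    return b_i * pow(pow(a_i, x_i, N), -1, N) % N


def demo(m=2):
    """Honest run for m TRPs, the Fiat-Shamir variant, recovery, and one abuse."""
    keys = [trp_keygen() for _ in range(m)]
    s = 2 + secrets.randbelow(N - 2)                    # session key, 0 < S < n
    r, fields, k = encrypt_session_key(s, [y for _, y in keys])
    proofs = [make_binding(k, y, r, *fields[i]) for i, (_, y) in enumerate(keys)]
    honest = all(verify_binding(y, r, *fields[i], c, d, z)
                 for i, ((_, y), (c, d, _, z)) in enumerate(zip(keys, proofs)))
    reduced = all(verify_binding_fiat_shamir(y, r, *fields[i], w, z)
                  for i, ((_, y), (_, _, w, z)) in enumerate(zip(keys, proofs)))
    recovered = all(trp_recover(x, *fields[i]) == s for i, (x, _) in enumerate(keys))
    # Abuse from section 2: block B_1 carries junk instead of S under the TRP key;
    # the old binding data no longer matches, so a monitor without secrets sees it.
    junk = (fields[0][0], secrets.randbelow(N))
    c, d, _, z = proofs[0]
    abuse = verify_binding(keys[0][1], r, *junk, c, d, z)
    return {"receiver": pow(r, D, N) == s, "honest": honest, "reduced": reduced,
            "recovered": recovered, "abuse": abuse}
```

The abuse case hands the monitor a junk B_1 together with the honest binding data; it is rejected although the monitor knows neither S, k nor any private key.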

3.5 Single recoverable Diffie-Hellman (invention)

This binding method for Diffie-Hellman systems consists of selecting the generator γ used here (and the cyclic group Γ produced by it and the surrounding group Δ) in such a way that the order thereof is equal to an RSA modulus n, the product of two (large) secret prime numbers p and q. In the single case (where only one TRP is involved) it is assumed that the prime numbers p and q are known to the TRP (or parts thereof in the case of several sub-TRPs where splitting or sharing techniques have been used for the prime numbers p and q), and that n = p·q is publicly known (e.g. published).

Of course, Γ must also be selected in such a way that the discrete log problem in Γ cannot be solved in a practical way. There are countless ways in which γ, Γ and Δ can be selected. For example, a prime number P of the form P = s·n + 1 could be selected, where s is a small number. The element γ (not equal to 1 mod P) would then have to be selected in such a way that γ^n = 1 mod P.

In order to make Diffie-Hellman systems of this type recoverable, we propose that if one party is sending a typical Diffie-Hellman message of the type γ^S mod P to a conversation partner (where S is known only to the sending party), recovery is constructed by accompanying this message by a Rabin encryption modulo n, i.e. S^2 mod n. In other words, a typical Recoverable Diffie-Hellman message has the form (H, R) = (γ^S mod P, S^2 mod n).

Moreover, the recovery field S^2 mod n need not in principle be sent by both sending partners: it is sufficient if one of the two does it. This applies fully to the earlier mentioned STS and MTI protocols, which are based on Diffie-Hellman.

The binding data constructed by us will now prove that:

R is the square of the logarithm of the abovementioned block H relative to base (generator) γ.     (***)

For this a one-way-secure hash function is first established, the number of output bits of which is sufficiently great (say, 160). Then:

1. the sending conversation partner generates an arbitrary number T smaller than n, calculates T_2 = T^2 mod n and calculates a_1 = γ^T and a_2 = γ^{T_2}, which are added to the binding data;

2. the sending conversation partner calculates, in a publicly known manner, a one-way-secure hash, called w, from a_1 and a_2 and possibly other prescribed information sent at the same time, possibly as part of the binding data;

3. the sending conversation partner calculates z = w·S + T mod n and adds this to the binding data;

a monitor is now able, on the basis of this binding data, to check as follows that assertion (***) is true:

4. the monitor (re)calculates the one-way-secure hash, called w, from a_1 and a_2 and possibly other prescribed information, calculates H_2 = γ^R, w_2 = w^2 mod n and checks that:

γ^z = H^w · a_1 and H^{w·z} · a_2 = (H_2)^{w_2} · (a_1)^z; if it does, then he accepts that assertion (***) is correct, otherwise he does not accept it.

The binding data constructed in the above method can be reduced considerably by applying the "Fiat-Shamir" heuristic. In this case the binding data consists of (only) z and w; the monitor calculates elements a_1 and a_2 on the basis of the equivalences mentioned in the above point 4, and calculates - in the prescribed manner - on the basis of this a_1 and a_2 and possibly other information the one-way-secure hash w*, and compares this with the hash w sent along with it. If w and w* are the same, then the monitor accepts that the encrypted RSA key in package R is the same as in package H, otherwise he does not accept it.
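The recoverable Diffie-Hellman message of 3.5 with its Rabin recovery field, the binding proof of steps 1-4 (including the Fiat-Shamir reduction) and the TRP's recovery of S, as an added Python example that is not the patent's own code. It assumes constructed demo primes p and q (Mersenne primes, both 3 mod 4), SHA-256 truncated to 160 bits as the prescribed hash, and that the TRP selects the right square root by comparing it against block H; the second check of step 4 is taken as the identity consistent with T_2 = T^2 and w_2 = w^2.

```python
import hashlib
import secrets

# Constructed demo parameters (not from the page). p and q are Mersenne primes
# with p = q = 3 (mod 4), so the TRP can take square roots mod n = p*q easily.
P_TRP = 2**61 - 1
Q_TRP = 2**89 - 1
N = P_TRP * Q_TRP
HASH_BITS = 160  # output size of the prescribed one-way hash (SHA-256, truncated)


def is_probable_prime(x, rounds=16):
    """Miller-Rabin; used only to find the public prime P = s*n + 1."""
    if x < 4 or x % 2 == 0:
        return x in (2, 3)
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        y = pow(2 + secrets.randbelow(x - 3), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def setup_group():
    """Pick a prime P = s*n + 1 (s small) and gamma != 1 with gamma^n = 1 mod P."""
    s = 2
    while not is_probable_prime(s * N + 1):
        s += 2                                  # n is odd, so s must be even
    p_pub = s * N + 1
    while True:
        gamma = pow(2 + secrets.randbelow(p_pub - 3), s, p_pub)   # order divides n
        if gamma != 1:
            return p_pub, gamma


def hash_to_int(*parts):
    """The prescribed hash w of a_1, a_2 and the accompanying blocks H and R."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - HASH_BITS)


def make_binding(s, p_pub, gamma, h, r):
    """Steps 1-3: commit a_1 = gamma^T, a_2 = gamma^(T^2); answer z = wS + T mod n."""
    t = secrets.randbelow(N)
    a1, a2 = pow(gamma, t, p_pub), pow(gamma, t * t % N, p_pub)
    w = hash_to_int(a1, a2, h, r)
    return a1, a2, w, (w * s + t) % N


def verify_binding(p_pub, gamma, h, r, a1, a2, z):
    """Step 4: gamma^z = H^w a_1 and H^(wz) a_2 = H_2^(w_2) a_1^z, H_2 = gamma^R."""
    w = hash_to_int(a1, a2, h, r)
    h2, w2 = pow(gamma, r, p_pub), w * w % N
    ok1 = pow(gamma, z, p_pub) == pow(h, w, p_pub) * a1 % p_pub
    ok2 = (pow(h, w * z % N, p_pub) * a2 % p_pub
           == pow(h2, w2, p_pub) * pow(a1, z, p_pub) % p_pub)
    return ok1 and ok2


def verify_binding_fiat_shamir(p_pub, gamma, h, r, w, z):
    """Reduced binding data (w, z): solve step 4 for a_1, a_2, re-hash, compare."""
    h2, w2 = pow(gamma, r, p_pub), w * w % N
    a1 = pow(gamma, z, p_pub) * pow(pow(h, w, p_pub), -1, p_pub) % p_pub
    a2 = (pow(h2, w2, p_pub) * pow(a1, z, p_pub)
          * pow(pow(h, w * z % N, p_pub), -1, p_pub) % p_pub)
    return hash_to_int(a1, a2, h, r) == w


def trp_recover(r, h, p_pub, gamma):
    """TRP with p, q: four square roots of R mod n; keep the one matching H (assumed)."""
    rp, rq = pow(r, (P_TRP + 1) // 4, P_TRP), pow(r, (Q_TRP + 1) // 4, Q_TRP)
    cp, cq = Q_TRP * pow(Q_TRP, -1, P_TRP), P_TRP * pow(P_TRP, -1, Q_TRP)  # CRT
    for sp in (rp, P_TRP - rp):
        for sq in (rq, Q_TRP - rq):
            cand = (sp * cp + sq * cq) % N
            if pow(gamma, cand, p_pub) == h:
                return cand


def demo():
    """Honest exchange, the Fiat-Shamir variant, TRP recovery, and one abuse."""
    p_pub, gamma = setup_group()
    s = 2 + secrets.randbelow(N - 2)                # the sender's secret exponent S
    h, r = pow(gamma, s, p_pub), s * s % N          # (H, R) = (gamma^S mod P, S^2 mod n)
    a1, a2, w, z = make_binding(s, p_pub, gamma, h, r)
    bogus_r = secrets.randbelow(N)                  # junk recovery field (abuse)
    return {"honest": verify_binding(p_pub, gamma, h, r, a1, a2, z),
            "reduced": verify_binding_fiat_shamir(p_pub, gamma, h, r, w, z),
            "recovered": trp_recover(r, h, p_pub, gamma) == s,
            "abuse": verify_binding(p_pub, gamma, h, bogus_r, a1, a2, z)}
```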



3.6 Multi Recoverable Diffie-Hellman (invention)

Making Diffie-Hellman multiply recoverable consists simply of combining the technique mentioned in point 3.5 with the technique mentioned in point 3.4, where (inter alia) Rabin encryption is made multiply recoverable. It is then obvious to destroy the private Rabin key (i.e. the prime numbers p and q whose product forms the modulus n): the TRPs all have at their disposal only ElGamal private keys. In this way one cyclic subgroup G, surrounding group H and the modulus n can be used to make Diffie-Hellman exchanges possible; different TRPs can always be selected (on the basis of a selected ElGamal key of a TRP). This is a convenient feature in an international context. By way of illustration, if American Alice wants to have a Diffie-Hellman exchange with British Bob, then she encloses an encrypted session key (plus binding data) for a British TRP, encrypted with his public ElGamal key; if Alice wants to have a Diffie-Hellman exchange with French Frank, then she encloses an encrypted session key (plus binding data) for a French TRP, encrypted with his public ElGamal key. In both cases she can use the same parameters (g, G, H, n).
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in which the conversation partners as part of the ex- 
change also make the same secret information 
available to the abovementloned co-listener if the 
latter acquires cooperation (simultaneously, or with 

5 some delay) from one of the TRPs (or several in the 
event of splitting or sharing techniques being used), 
and in the course of which the conversation part- 
ners also send additional information at the same 
time, known as binding data, by means of which the 

TO monitor can check that said making of information 
available can also be carried out properly, without 
the monitor having to have at his disposal secret 
information; characteristic of the method is that it 
relates to an exchange in which the secret informa- 

IS tion, known as S, is encrypted as: 

A R[S], an RSA encryption with a public RSA 
key with parameters (e, n); 
B i[S], M2[S],...,M^[S], a series of EIGama! en- 
20 cryptions in the multiplicative groupof Z/nZ gen- 

erated by a publicly known element g; 



2S A. R[S], an RSA encryption according to Rab- 

in's variant (e=2) with a public RSA key with pa- 
rameter n; 

B. M-,[S). M2[S],...,M^[S], a series of EIGamal 
encryptions In the multiplicative group of Z/nZ 
30 generated by a publicly known element g; 



Claims 



A method for key recovery cryptography to be used 35 
in a system consisting of: 

two conversation partners (from possibly differ- 
ent countries) who are exchanging secret infor- 
mation in encrypted form with each other by 40 
way of the public telecommunications infra- 
structure; 

one or more legitimate co-listeners possibly 
present (for example.a government agency, or 
an employer of one of the conversatkun part- 45 
ners). who do have the enciphered information 
at their disposal, but are not able to decipher it; 
one or more trusted parties (known as Trusted 
Recovery Parties) in principle different from the 
conversation partners, who act as virtual con- so 
versation partners, who can decipher the infor- 
mation, but who do not have the enciphered in- 
formation at their disposal; 
one or more monitors possibly present for mon- 
itoring the exchange between the conversation ss 
partners (for example, (an apparatus of) one of 
the conversatk)n partners, a PTT or an employ- or if 

er of the conversation partners). 



DH[S], a publicly known element from a subgroup 
r (of a surrounding group A) up to the power of S, 
in which for the following applies: 7" = 1, in whfch 
the private keys - but not necessarily all of them - 
bek>nging to blocks A and B are known either to the 
conversation partners or to the TRPs (or may be- 
come known in the event of splitting or sharing tech- 
niques being used): in the first case the private RSA 
key will, for example, be known to the receiving par- 
ty and the private EIGamal keys (or parts thereof) 
to a number of TRPs, while in the second case, for 
example, nobody will have at his disposal the pri- 
vate Rabin key, and only the TRPs will have at their 
disposal the private EIGamal keys (or parts there- 
of). 

If the encryptbns mentioned under Claim 1 are writ- 
ten out as: 

A. R = S® mod n; 

B. (Ai. Bi):=: (gk S,{y,)% (Ag, 83):= (g^ S. 
(ya)'^). (Aa, B3) = (gk S.{y^n ■ . (A^. B„) = (gX. 
S.(y^)k), ail modulo n. and in which y^.ya. ■ Vm 
are the corresponding EIGamal keys; 
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A. R=:S2 mod n; 

B. (Ai. Bi):= (gk. S.(y,)»^). (Ag. Bg):^ (g^. S. 
(ya)*^). (A3. B3) = (gk a(y3)»<). .... (A^. B^) = {q\ 
S.(yn,)'^). ail modulo n; 

C. Ht = 7^; s 

then the binding data mentioned in Claim 1 serves 
to prove in the first case that for each i equal to 
1,2, m the expressions ((A|)®, (Bj)®) relate to an 
EIGamal encryption of S relative to the public key 10 
y{, and in the second case that the expressions 
((Ai)2, (Bi)2) relate to an EIGamal encryption of S 
relative to the public key yi,and also that R modulo 
n is the square of the log y (Hi). 

IS 

3. The way in which the binding data mentioned in Claim 1 succeeds in proving that for each i equal to 1, 2, ..., m the expressions ((A_i)^e, (B_i)^e) relate to an ElGamal encryption of S relative to the public key y_i, as mentioned in Claim 2, consists of proving that for each i equal to 1, 2, ..., m the logarithm of the expression (A_i)^e relative to the base g modulo n is the same as the logarithm of the expression (B_i)^e divided by R modulo n relative to the base y_i; the way in which the binding data mentioned in Claim 1 succeeds in proving that for each i equal to 1, 2, ..., m the expressions ((A_i)^2, (B_i)^2) relate to an ElGamal encryption of S relative to the public key y_i, as mentioned in Claim 2, consists of proving that for each i equal to 1, 2, ..., m the logarithm of the expression (A_i)^2 relative to the base g modulo n is the same as the logarithm of the expression (B_i)^2 divided by R modulo n relative to the base y_i.
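The relation that Claim 3 asks the binding data to prove, log_g((A_i)^e) = log_{y_i}((B_i)^e / R), can be exercised end to end with small numbers. The following Python is an added worked example and is not code from the patent: it builds blocks A and B of Claim 2 (with S chosen in the group generated by g, as Claim 5 prescribes), lets the monitor verify the binding data without holding any private key, and shows that a sender who escrows a different key S' to the TRPs while sending R = S^e to the recipient is rejected. The patent does not fix the proof system for the equality of logarithms; the example assumes a Chaum-Pedersen equality-of-discrete-logs proof made non-interactive with the Fiat-Shamir heuristic of Claim 7, using integer responses because the order of g modulo n is unknown to the sender. The modulus, exponent, base, TRP keys and hash are constructed toy values (Python 3.8+ is needed for pow(x, -1, n)); passing e = 2 runs the squares check of the second (Rabin) case, although the DH[S] part of Claim 4 is not implemented here.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only (far too small for real use).
P, Q = 1019, 1021
N = P * Q                 # modulus n of Claim 2
PHI = (P - 1) * (Q - 1)
E = 7                     # receiving party's RSA exponent e, gcd(E, PHI) == 1
D = pow(E, -1, PHI)       # receiving party's private RSA key
G = 2                     # ElGamal base g modulo n


def keygen_trp():
    """A TRP holds an ElGamal private key x_i and publishes y_i = g^x_i mod n."""
    x = secrets.randbelow(N - 2) + 1
    return x, pow(G, x, N)


def encrypt_session_key(s, trp_pubkeys, e=E):
    """Blocks A and B of Claim 2: R = S^e mod n and (A_i, B_i) = (g^k, S.y_i^k) mod n,
    with one k shared by all TRP ciphertexts, as the claim writes them."""
    k = secrets.randbelow(N - 2) + 1
    r = pow(s, e, N)
    elgamal = [(pow(G, k, N), s * pow(y, k, N) % N) for y in trp_pubkeys]
    return r, elgamal, k


def _challenge(*parts):
    """Fiat-Shamir challenge (assumed hash; the page only says 'one-way-secure hash')."""
    h = hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
    return int.from_bytes(h, "big")


def make_binding_data(r, elgamal, trp_pubkeys, k, e=E):
    """Claim 3: prove log_g(A_i^e) == log_{y_i}(B_i^e / R) for every i.
    The sender knows that common logarithm, x = k*e.  ASSUMPTION: Chaum-Pedersen
    proof; the response z = t + c*x is kept as an integer (order of g unknown)."""
    x = k * e
    proofs = []
    for (a, b), y in zip(elgamal, trp_pubkeys):
        u = pow(a, e, N)                              # should equal g^x
        v = pow(b, e, N) * pow(r, -1, N) % N          # should equal y^x
        t = secrets.randbits(256)                     # blinding exponent, hides x
        c1, c2 = pow(G, t, N), pow(y, t, N)
        c = _challenge(G, y, u, v, c1, c2)
        proofs.append((c1, c2, t + c * x))
    return proofs


def monitor_check(r, elgamal, trp_pubkeys, proofs, e=E):
    """Monitor's check of Claim 1: only public values and the binding data are used."""
    for (a, b), y, (c1, c2, z) in zip(elgamal, trp_pubkeys, proofs):
        u = pow(a, e, N)
        v = pow(b, e, N) * pow(r, -1, N) % N
        c = _challenge(G, y, u, v, c1, c2)
        if pow(G, z, N) != c1 * pow(u, c, N) % N:
            return False
        if pow(y, z, N) != c2 * pow(v, c, N) % N:
            return False
    return True


def recover_via_trp(elgamal_i, x_i):
    """Co-listener plus TRP i recover S = B_i / A_i^x_i mod n."""
    a, b = elgamal_i
    return b * pow(pow(a, x_i, N), -1, N) % N


def demo(cheat=False):
    """Returns (monitor accepts, recipient decrypts S, TRP recovery yields S)."""
    trps = [keygen_trp() for _ in range(3)]
    pubs = [y for _, y in trps]
    s = pow(G, secrets.randbelow(N), N)      # Claim 5: S taken from the group generated by g
    r, elgamal, k = encrypt_session_key(s, pubs)
    if cheat:
        # Constructed fraud: a different key S' = g.S goes to the TRPs while R stays S^e.
        _, elgamal, k = encrypt_session_key(s * G % N, pubs)
    proofs = make_binding_data(r, elgamal, pubs, k)
    accepted = monitor_check(r, elgamal, pubs, proofs)
    recovered = recover_via_trp(elgamal[0], trps[0][0])
    return accepted, pow(r, D, N) == s, recovered == s
```

demo() returns (True, True, True); demo(cheat=True) returns (False, True, False): the recipient's RSA decryption still works, the TRP recovers the wrong key, and the monitor rejects, which is precisely the discrepancy the binding data exists to expose without giving the monitor any secret.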

4. A method in which the binding data mentioned in Claim 1 serves to prove that R modulo n is the square of the log_γ(H_1), as mentioned in Claim 2, as follows:

a. the sending conversation partner generates an arbitrary T smaller than n, calculates T2 = T^2 mod n and calculates a_1 = γ^T and a_2 = γ^(T2), which are added to the binding data;

b. the sending conversation partner calculates, in a publicly known manner, a one-way-secure hash, called w, of a_1 and a_2 and possibly other information which is sent at the same time, possibly as part of the binding data;

c. the sending conversation partner calculates z = w.S + T mod n and adds this to the binding data;

d. a monitor, as mentioned in Claim 1, is now able, on the basis of the binding data, to check as follows that R modulo n is the square of the log_γ(H_1), as mentioned in Claim 2: the monitor calculates the one-way-secure hash, called w, from a_1 and a_2 and possibly other information, calculates [illegible] = γ^[illegible], w2 = [illegible] mod n and checks that γ^z = (H_1)^w.a_1 and ((H_1)^w.a_1)^[illegible] = (H_2)^[illegible].a_2; if it does, then he accepts that R modulo n is the square of the log_γ(H_1), as mentioned in Claim 2; if this is not so, then he does not accept it.

5. A (relatively) safe recovery of RSA/Rabin is constructed if the session key S, as mentioned, inter alia, in Claims 1 and 2, is (arbitrarily) selected in the group generated by g, i.e. S is of the form g^z mod n, with z arbitrary and smaller than n. In this case it can be proved that breaking RSA/Rabin is just as difficult with recovery as without recovery.

6. From the method which is explained in Claim 4, an equivalent can be constructed by reversing the roles of H_1 (or H_2) and a_1 (or a_2), selecting as z S + w.T and by adapting the checking steps in 4d.

7. The binding data constructed in the methods from Claims 4 and 5 can be reduced by using the Fiat-Shamir heuristic (see end of 3.5 from the description).